
0003248: Snort don't start after update to EFW Community 2.4.1 - MantisBT Endian Bugtracker
ID: 0003248
Project: Endian Firewall
Category: Intrusion Prevention
View Status: public
Date Submitted: 2010-11-04 09:35
Last Update: 2010-11-09 10:10
Reporter: EDV-Team
Assigned To: lorenzo-endian
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform / OS / OS Version: (blank)
Product Version: 2.4
Target Version: (blank)
Fixed in Version: 2.4.1
Summary: 0003248: Snort don't start after update to EFW Community 2.4.1

Description:
After updating our Endian Firewall to version 2.4.1, Snort doesn't start anymore.

/var/log/messages says:

Nov 4 00:12:55 Endian-Firewall snort[9334]: FATAL ERROR: /etc/snort/processed.rules(17) Invalid tag arguments: session

After disabling the automatic Snort rules update feature in the Endian web-interface, the snort service starts successfully and "/etc/init.d/snort status" tells me that "snort (pid 3958) is running..."
Tags: No tags attached.

- Relationships
related to 0003177 (closed, christian-endian): emergingthreats changed URL

-  Notes
(0005008)
lorenzo-endian (manager)
2010-11-04 17:48

I am not able to reproduce this bug.
In any case, I have seen that in some cases snort takes some time to start, or it is running but the dashboard shows snort as "OFF".

Could you please try to re-enable "Automatically fetch SNORT rules", reboot the fw and check if it is started both from the shell and from the dashboard?

Moreover, I did not find the same entry in /var/log/messages as happened for you.

Thanks in advance
(0005010)
ytech (reporter)
2010-11-04 22:57

I'm also having the same problem. I tried all that is listed above but nothing happens. Appears to be a bug. I've seen in other forums others having the same problem.
(0005011)
vlongjvc (reporter)
2010-11-05 06:11

Dear ytech,

Please check the version of Snort that you are using; Emerging Threats has changed the URL that is used for updating IDS/IPS signatures.

I am using EFW 2.4 (Snort version 2.8.5) so I changed /var/efw/snort/default/settings to
SNORT_RULES_URL=http://rules.emergingthreats.net/open/snort-2.8.4/emerging.rules.tar.gz
If I change to SNORT_RULES_URL=http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz
I have the same phenomenon as above (FATAL ERROR: /etc/snort/processed.rules(17) Invalid tag arguments: session)
(0005012)
lorenzo-endian (manager)
2010-11-05 07:56

Ok, this morning I can reproduce the bug, but for me this bug happens with

SNORT_RULES_URL=http://www.emergingthreats.net/rules/emerging.rules.tar.gz

or

SNORT_RULES_URL=http://rules.emergingthreats.net/open/snort-2.8.4/emerging.rules.tar.gz

or

SNORT_RULES_URL=http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz
(0005013)
EDV-Team (reporter)
2010-11-05 08:44
edited on: 2010-11-05 08:46

I changed the following line in /var/efw/snort/default/settings from

SNORT_RULES_URL=http://www.emergingthreats.net/rules/emerging.rules.tar.gz

to

SNORT_RULES_URL=http://rules.emergingthreats.net/open/snort-2.8.4/emerging.rules.tar.gz

and removed the "settings" and "settings.old" files from /var/efw/snort/

After that I enabled IPS in the web-interface again and all seems to work now.

The default URL "http://www.emergingthreats.net/rules/emerging.rules.tar.gz" is unavailable.

(0005021)
cmateski (reporter)
2010-11-05 16:24

I was experiencing the same problem. I followed the rules provided by the EDV-Team and it appears to be fixed. On the status page, IDS shows "running".

A new issue appears to have surfaced. When I push the "Update Rules Now" button, I get back a spinning dial with the following message, "Intrusion Prevention Systemis restarted. Please hold...". It stays up for a very long time and does not appear to finish. If I leave the page and come back it will report the rules updated.




+++++++++++++++++++++++++++++++++++
(0005013)
EDV-Team (reporter)
2010-11-05 09:44
edited on: 2010-11-05 09:46

I changed the following line in /var/efw/snort/default/settings from

SNORT_RULES_URL=http://www.emergingthreats.net/rules/emerging.rules.tar.gz

to

SNORT_RULES_URL=http://rules.emergingthreats.net/open/snort-2.8.4/emerging.rules.tar.gz

and removed the "settings" and "settings.old" files from /var/efw/snort/

After that I enabled IPS in the web-interface again and all seems to work now.

The default URL "http://www.emergingthreats.net/rules/emerging.rules.tar.gz" is unavailable.
(0005022)
ra-endian (administrator)
2010-11-05 17:43

With the latest deployed version everything should work now.
(0005031)
Anonymous (viewer)
2010-11-07 06:38

It is still not fixed.

While running the efw-upgrade to get the fix, the screen shows some sort of error
(crul *: cannot open the spesified website...)

Then I reboot the system. Turn off Snort and turn it back on. <-- no problem here

but when I click the "Update Rules Now" the screen will keep on going with "Starting Snort" for ever..
(0005034)
pwizard (reporter)
2010-11-08 01:53

After running smart update & smart upgrade,
when I click the "Update Rules Now" the screen will keep on going with "Starting Snort" for ever..

Confirmed.
(0005053)
lorenzo-endian (manager)
2010-11-09 10:10

Hi pwizard,

this problem is not related directly to snort but to the communication between the web interface and the processes running in background.

We are working to solve that problem, but the problem related directly to snort is solved for us, so I close this ticket now.

Thanks a lot

Lo

- Issue History
Date Modified Username Field Change
2010-11-04 09:35 EDV-Team New Issue
2010-11-04 10:31 ra-endian Assigned To => lorenzo-endian
2010-11-04 17:48 lorenzo-endian Note Added: 0005008
2010-11-04 17:48 lorenzo-endian Status new => feedback
2010-11-04 22:57 ytech Note Added: 0005010
2010-11-05 06:11 vlongjvc Note Added: 0005011
2010-11-05 07:49 ra-endian Severity minor => major
2010-11-05 07:49 ra-endian Relationship added related to 0003177
2010-11-05 07:56 lorenzo-endian Note Added: 0005012
2010-11-05 07:56 lorenzo-endian Status feedback => confirmed
2010-11-05 08:44 EDV-Team Note Added: 0005013
2010-11-05 08:46 EDV-Team Note Edited: 0005013
2010-11-05 16:24 cmateski Note Added: 0005021
2010-11-05 17:43 ra-endian Note Added: 0005022
2010-11-05 17:43 ra-endian Status confirmed => resolved
2010-11-05 17:43 ra-endian Resolution open => fixed
2010-11-05 20:09 ra-endian Status resolved => closed
2010-11-05 20:09 ra-endian Fixed in Version => 2.4.1
2010-11-07 06:38 Anonymous Note Added: 0005031
2010-11-07 06:38 Anonymous Status closed => feedback
2010-11-07 06:38 Anonymous Resolution fixed => reopened
2010-11-08 01:53 pwizard Note Added: 0005034
2010-11-09 10:10 lorenzo-endian Note Added: 0005053
2010-11-09 10:10 lorenzo-endian Status feedback => closed
2010-11-09 10:10 lorenzo-endian Resolution reopened => fixed
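
The failure in this ticket is identified by the syslog entry "FATAL ERROR: /etc/snort/processed.rules(17) Invalid tag arguments: session". As an added example (not part of the ticket and not Endian code), the following shell script extracts the file and line number from such entries and prints the rule Snort refused to load. The function names, the ROOT argument and the rule placed on line 17 are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find the rule that stopped Snort from starting.

# Read syslog lines on stdin; for each Snort "FATAL ERROR: file(N) reason"
# entry print "file N reason".
parse_snort_fatal() {
    sed -n 's/^.*snort\[[0-9]*\]: FATAL ERROR: \([^( ]*\)(\([0-9][0-9]*\)) \(.*\)$/\1 \2 \3/p'
}

# Print line $2 of file $1, i.e. the rule Snort rejected.
offending_rule() {
    sed -n "${2}p" "$1"
}

# triage LOGFILE [ROOT]: report every fatal rule error found in LOGFILE with
# the rule text. ROOT (assumption) is prefixed to the logged path so that a
# copy of /etc/snort can be inspected away from the firewall.
triage() {
    parse_snort_fatal < "$1" | while read -r file line reason; do
        printf '%s:%s: %s\n' "$file" "$line" "$reason"
        if [ -r "${2:-}$file" ]; then
            printf '  rule: %s\n' "$(offending_rule "${2:-}$file" "$line")"
        else
            printf '  rule: (file not readable)\n'
        fi
    done
}

# Constructed demo data: the log line is the one quoted in the report; the
# rule on line 17 is a made-up placeholder, not the real ruleset entry.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/snort"
    i=1
    while [ "$i" -le 16 ]; do
        echo "# placeholder rule $i" >> "$root/etc/snort/processed.rules"
        i=$((i + 1))
    done
    echo 'alert tcp any any -> any any (msg:"CONSTRUCTED"; tag:session; sid:1000017;)' \
        >> "$root/etc/snort/processed.rules"
    echo 'Nov 4 00:12:55 Endian-Firewall snort[9334]: FATAL ERROR: /etc/snort/processed.rules(17) Invalid tag arguments: session' \
        > "$root/messages"
    triage "$root/messages" "$root"
    rm -rf "$root"
}

demo
```

On the firewall itself the call would be `triage /var/log/messages` with no ROOT argument.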
